Resubmissions

11-03-2023 15:20

230311-sqvv2abh7w 7

11-03-2023 13:56

230311-q8tpksbf8y 10

Analysis

  • max time kernel
    114s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-03-2023 13:56

General

  • Target

    conti/locker.exe

  • Size

    1.4MB

  • MD5

    f9f2b0dca4ff4365b98599afb5c1e14e

  • SHA1

    9cac04b31f29b81c89cfd840e160a1185768c699

  • SHA256

    2b19e130390bf1a65c40a909a3dc5ce2af96d921d2bb4949724be9085e0abbe7

  • SHA512

    52d586efaeea2e3350e08ce53b3b8fef63c4cd22eab757aa7d42a6534011d505ad14c39b59d70f45a17ed0035bc234fd0dffef209739a81cae8841b214d1308a

  • SSDEEP

    12288:GZH7AAO2VRbDEsLC3L79iiauuxJ8QahIha4B7ByfdoiUriupSezaVm:GZH7Hc3L7yJGhIha4B1yfui8b2m

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile contents. This is a TTP-level signature (2 hits); it records that browser profile paths were read, not that credentials were exfiltrated.

  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages the volume snapshots Windows uses for backups and "previous versions" recovery. Ransomware routinely deletes these snapshots so that encrypted files cannot be restored locally; in this run the sample spawns cmd.exe, which invokes WMIC.exe with a "shadowcopy where ... delete" command against a specific shadow copy ID (see the process tree below), and vssvc.exe is started as a result.

Processes

  • C:\Users\Admin\AppData\Local\Temp\conti\locker.exe
    "C:\Users\Admin\AppData\Local\Temp\conti\locker.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{01268568-5513-4879-B5BA-55AAC12E84B7}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{01268568-5513-4879-B5BA-55AAC12E84B7}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1068
      2⤵
      • Program crash
      PID:868
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4396
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2584 -ip 2584
    1⤵
      PID:2144
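The process chain above (locker.exe in a user Temp directory, spawning cmd.exe, which spawns WMIC.exe with a `shadowcopy ... delete` command) is the behaviour a detection engineer wants to catch from process-creation telemetry. The following is an added example, not part of the sandbox report or of any vendor's detection content: it runs a small set of shadow-copy-deletion patterns over constructed Sysmon Event ID 1 style records (Image, CommandLine, ProcessId, ParentProcessId) that mirror this report's tree, extracts the targeted shadow copy GUID, and walks the parent chain to show that the request originated from a binary in a user-writable path. The event records, the field names and the user-writable path heuristic are assumptions for the example.

```python
"""Flag shadow-copy deletion in process-creation events (added example).

The events below are constructed to mirror the process tree in this report;
they are not real telemetry. Field names follow Sysmon Event ID 1 naming.
"""
import re

# Command-line patterns for the common shadow-copy deletion primitives.
SHADOW_DELETE_PATTERNS = [
    # wmic shadowcopy delete / wmic shadowcopy where "ID='{...}'" delete
    ("wmic", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # vssadmin delete shadows /all /quiet
    ("vssadmin", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    # PowerShell: Get-WmiObject Win32_ShadowCopy | Remove-WmiObject / .Delete()
    ("powershell-wmi", re.compile(r"win32_shadowcopy\b.*(?:remove-wmiobject|\.delete\(\))", re.I)),
]

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

# Heuristic (assumption): images under a user's AppData/Downloads/Desktop are
# user-writable and should not normally be the root of a shadow-copy deletion.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\", re.I)

# Constructed events mirroring the report's tree plus a benign admin action.
SAMPLE_EVENTS = [
    {"ProcessId": 2584, "ParentProcessId": 1,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\conti\locker.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\conti\locker.exe"'},
    {"ProcessId": 3508, "ParentProcessId": 2584,
     "Image": r"C:\Windows\SYSTEM32\cmd.exe",
     "CommandLine": r"""cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{01268568-5513-4879-B5BA-55AAC12E84B7}'" delete"""},
    {"ProcessId": 736, "ParentProcessId": 3508,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"""C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{01268568-5513-4879-B5BA-55AAC12E84B7}'" delete"""},
    {"ProcessId": 4396, "ParentProcessId": 1,
     "Image": r"C:\Windows\system32\vssvc.exe",
     "CommandLine": r"C:\Windows\system32\vssvc.exe"},
    # Benign: an administrator listing (not deleting) shadow copies.
    {"ProcessId": 5000, "ParentProcessId": 1,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},
]


def ancestry(event, by_pid, max_depth=16):
    """Return the PID chain from this process up to the last known ancestor."""
    chain = [event["ProcessId"]]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.get("ParentProcessId"))
        if parent is None or parent["ProcessId"] in chain:  # unknown parent or PID reuse loop
            break
        chain.append(parent["ProcessId"])
        cur = parent
    return chain


def shadow_copy_deletions(events):
    """Return one alert per event whose command line deletes shadow copies.

    Both the cmd.exe wrapper and the WMIC.exe child match here, as they do in
    the report; keeping both preserves the full chain for the analyst.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        cmd = e.get("CommandLine", "")
        for family, pat in SHADOW_DELETE_PATTERNS:
            if not pat.search(cmd):
                continue
            chain = ancestry(e, by_pid)
            root = by_pid[chain[-1]]
            alerts.append({
                "pid": e["ProcessId"],
                "image": e["Image"],
                "family": family,
                "shadow_ids": GUID_RE.findall(cmd),  # empty for "/all"-style deletes
                "chain": chain,
                "root_image": root["Image"],
                "root_in_user_writable": bool(USER_WRITABLE_RE.search(root["Image"])),
            })
            break
    return alerts


if __name__ == "__main__":
    for a in shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"pid={a['pid']} {a['family']} ids={a['shadow_ids']} "
              f"chain={a['chain']} root={a['root_image']} "
              f"user_writable_root={a['root_in_user_writable']}")
```

On real telemetry, feed this the process-creation events for one host in chronological order; the `root_in_user_writable` flag plus a shadow-copy GUID in the command line is a strong ransomware indicator, whereas backup agents that legitimately delete snapshots run from Program Files or System32 and should be allow-listed by root image rather than by suppressing the pattern.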

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 1 signature
  • Collection: Data from Local System (T1005), 1 signature

(T1081 was later folded into T1552.001, Unsecured Credentials: Credentials In Files, in current ATT&CK versions.)


Downloads

  • C:\Program Files (x86)\R3ADM3.txt
    Filesize

    16B

    MD5

    c8a54401701d688fe98cdcddded2cfd7

    SHA1

    a0edc8f3d7478982def3b3ccd68ee5deba023d00

    SHA256

    9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

    SHA512

    7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

  • memory/2584-133-0x0000000000F80000-0x000000000118B000-memory.dmp
    Filesize

    2.0MB

  • memory/2584-1927-0x0000000000F80000-0x000000000118B000-memory.dmp
    Filesize

    2.0MB

  • memory/2584-3640-0x0000000000F80000-0x000000000118B000-memory.dmp
    Filesize

    2.0MB